Wednesday, April 13, 2011

Configuring Dell 54xx and 62xx switches for https.

At work, we recently acquired 3 Dell switches, a 6248P, a 5424 and a 5448.  Based on some older Dell switches we own, Dell has come a long way with their switches.

Hopefully everyone knows that plaintext protocols are terrible for securely managing devices.  These switches are capable of SSH, telnet, http and https.  SSH is sufficient for remote management of  the switch, but if you need or want a GUI (girls use it) interface, https is the only way to go.  Since Dell doesn't have anything in their documentation about setting it up, and I wasn't able to find a complete configuration guide for enabling https, I thought I'd share what it took for me to get it going.  This guide assumes you have already configured the switch for ssh access, or that you are managing the switch from the console cable.

Once you've logged into your switch, you will see a prompt like this:  hostname#, where hostname is the name you've assigned to your switch.

First you need to verify that the time is set correctly.  Show clock will tell us if it is. 
Dell5424#show clock
*00:58:11 (UTC+0)  Jan 1 2000
No time source
My switch was not set.  You can set it manually with the clock set command.
Dell5424# clock set 15:37:00 apr 13 2011
Alternatively, you can configure the switch for simple network time protocol, or sntp.
 Dell5424(config)# clock source sntp
Dell5424(config)# sntp server x.x.x.x poll  where x.x.x.x is the ip address of the server you want to get sntp info from
Dell5424(config)# sntp client enable vlan 1 
Dell5424(config)# clock timezone -5 zone EST
Dell5424(config)# clock summer-time recurring usa zone EDT
Dell5424(config)# sntp unicast client enable
Dell5424(config)# sntp unicast client poll

Now we can verify that the time settings took

Dell5424(config)# exit
Dell5424# show clock detail
 11:47:30 EDT(UTC-5)  Apr 13 2011
Time source is sntp

Time zone:
Acronym is EST
Offset is UTC-5

Acronym is EDT
Recurring every year.
Begins at 02 01 03 02:00.
Ends at 01 01 11 02:00.
Offset is 60 minutes.
Dell5424#show sntp status

Client Mode:                       Unicast
Last Update Time:                  APR 13 15:40:00 2011

Unicast servers:
Server          Status                 Last response
--------------- ---------------------- --------------------------
x.x.x.x    Success                15:40:00 Apr 13 2011


Now we need to generate the certificate for the web server to use to secure the connection.

Dell5424# conf
Dell5424(config)# crypto certificate 1 generate generate-key  here I'm generating a certificate for slot 1, but you can use either 1 or 2 after certificate.
We need to assign the newly generated certificate to the https server, turn the server on and disable the http server.

Dell5424(config)# ip https certificate 1
Dell5424(config)# ip https server
Dell5424(config)# no ip http server

Of course, don't forget to save your work!

 Dell5424# copy running-config startup-config
Overwrite file [startup-config] ?[Yes/press any key for no]....13-Apr-2011 16:05:55 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
13-Apr-2011 16:06:01 %COPY-N-TRAP: The copy operation was completed successfully
Copy succeeded

On the 62xx series switches, the commands are slightly different.

Dell6248P(config)#sntp server x.x.x.x poll
Dell6248P(config)#sntp unicast client enable
Dell6248P(config)#clock timezone hours-offset -5 EST
Dell6248P(config)#clock timezone -5 zone EST
Dell6248P(config)#clock summer-time recurring usa zone EDT
Dell6248P#show clock
16:18:38 EDT(UTC-4:00) Apr 13 2011
Time source is SNTP

Dell6248P(config)#crypto certificate 1 generate
Dell6248P(config-crypto-cert)# exit

Dell6248P(config)# ip https certificate 1
Dell6248P(config)# ip https server
Dell6248P(config)# no ip http server

Dell6248P#copy running-config startup-config
This operation may take a few minutes.
Management interfaces will not be available during this time.
Are you sure you want to save? (y/n) y
Configuration Saved!

Coming from the Cisco world where typing "ip http secure-server" generates the certificate, assigns it to the web server and enables the web server, this was a bit more complicated.  Hopefully this will help someone else configure their gear to be more secure.

NOTE:  Following the steps in this tutorial will generate self-signed certificates on your switches.  Because the certificates are issued by a non-trusted CA, your browser will display an error when you navigate to those pages.  Because of that, these certificates may not be appropriate in your environment.  There are commands to generate certificate requests that can be used to obtain certificates from a trusted authority, I'll publish a tutorial about that sometime in the future.

Sunday, April 10, 2011

A little about this blog and me.

I am a corporate network and server administrator at a consulting firm.  I am beginning a project to leverage  the technologies we already have in place.   My goal is to design and implement a solution that includes intrusion detection, log management, event correlation, config management and better visibility into how our network is operating.  As I embark on this project, I plan to write about the process, from product decisions to deployment and configuration.  I hope you find this information helpful.